User Group Management

This chapter provides information about setting up and managing user groups in Cisco Secure ACS for Windows Server to control authorization. Cisco Secure ACS enables you to group network users for more efficient administration. Each user can belong to only one group in Cisco Secure ACS. You can establish up to 500 groups to effect different levels of authorization.

Cisco Secure ACS also supports external database group mapping; that is, if your external user database distinguishes user groups, these groups can be mapped into Cisco Secure ACS. And if the external database does not support groups, you can map all users from that database to a Cisco Secure ACS user group. For information about external database mapping, see "User Group Mapping and Specification".

Before you configure Group Setup, you should understand how this section functions. Cisco Secure ACS dynamically builds the Group Setup section interface depending on the configuration of your network devices and the security protocols being used. That is, what you see under Group Setup is affected by settings in the Network Configuration and Interface Configuration sections.

About User Group Setup Features and Functions

The Group Setup section of the Cisco Secure ACS HTML interface is the centralized location for operations regarding user group configuration and administration. For information about network device groups (NDGs), see Network Device Group Configuration.

Default Group

If you have not configured group mapping for an external user database, Cisco Secure ACS assigns users who are authenticated by the Unknown User Policy to the Default Group the first time they log in. The privileges and restrictions for the default group are applied to first-time users. If you have upgraded from a previous version of Cisco Secure ACS and kept your database information, Cisco Secure ACS retains the group mappings you configured before upgrading.

Group TACACS+ Settings

Cisco Secure ACS enables a full range of settings for TACACS+ at the group level. If a AAA client has been configured to use TACACS+ as the security control protocol, you can configure standard service protocols, including PPP IP, PPP LCP, ARAP, SLIP, and shell (exec), to be applied for the authorization of each user who belongs to a particular group.

Note You can also configure TACACS+ settings at the user level. User-level settings always override group-level settings.

Cisco Secure ACS also enables you to enter and configure new TACACS+ services. For information about how to configure a new TACACS+ service to appear on the group setup page, see Protocol Configuration Options for TACACS+.

If you have configured Cisco Secure ACS to interact with a Cisco device-management application, new TACACS+ services may appear automatically, as needed, to support the device-management application. For more information about Cisco Secure ACS interaction with device-management applications, see Support for Cisco Device-Management Applications.

You can use the Shell Command Authorization Set feature to configure TACACS+ group settings. This feature enables you to apply shell commands to a particular user group in the following ways:

•Assign a shell command authorization set, which you have already configured, for any network device.

•Assign a shell command authorization set, which you have already configured, to particular NDGs.

•Permit or deny specific shell commands, which you define, on a per-group basis.

Group Disablement

You perform this procedure to disable a user group and, thereby, to prevent any member of the disabled group from authenticating.

Note Group Disablement is the only setting in Cisco Secure ACS where the setting at the group level may override the setting at the user level. If group disablement is set, all users within the disabled group are denied authentication, regardless of whether or not the user account is disabled. However, if a user account is disabled it remains disabled regardless of the status of the corresponding user group disablement setting. In other words, when group and user account disablement settings differ, Cisco Secure ACS defaults to preventing network access.

To disable a group, follow these steps:

Step 1 In the navigation bar, click Group Setup.

The Group Setup Select page opens.

Step 2 From the Group list, select the group you want to disable, and then click Edit Settings.

The Group Settings page displays the name of the group at its top.

Step 3 In the Group Disabled table, select the check box labeled This group is disabled - and all users of this group are disabled.

Enabling VoIP Support for a User Group

Note If this feature does not appear, click Interface Configuration, click Advanced Options, and then select the Voice-over-IP (VoIP) Group Settings check box.

Perform this procedure to enable support for the null password function of VoIP. This enables users to authenticate (session or telephone call) on only the user ID (telephone number).

When you enable VoIP at the group level, all users in this group become VoIP users, and the user IDs are treated similarly to a telephone number. VoIP users do not need to enter passwords to authenticate.

Step 6 To continue specifying other group settings, perform other procedures in this chapter, as applicable.

Setting Callback Options for a User Group

Callback is a command string that is passed back to the access server. You can use callback strings to initiate a modem to call the user back on a specific number for added security or reversal of line charges. There are three options, as follows:

•No callback allowed—Disables callback for users in this group. This is the default setting.

•Use Windows Database callback settings (where possible)—Uses the Microsoft Windows callback settings. If a Windows account for a user resides in a remote domain, the domain in which Cisco Secure ACS resides must have a two-way trust with that domain for the Microsoft Windows callback settings to operate for that user.

Note The password aging feature does not operate correctly if you also use the callback feature. When callback is used, users cannot receive password aging messages at login.

To set callback options for a user group, follow these steps:

Step 1 In the navigation bar, click Group Setup.

The Group Setup Select page opens.

Step 2 Select a group from the Group list, and then click Edit Settings.

The Group Settings page displays the name of the group at its top.

Step 3 In the Callback table, select one of the following three options:

Typically, you define (shared) NARs from within the Shared Components section so that these restrictions can be applied to more than one group or user. For more information, see Adding a Shared Network Access Restriction. You must have enabled the Group-Level Shared Network Access Restriction check box on the Advanced Options page of the Interface Configuration section for these options to appear in the Cisco Secure ACS HTML interface.

However, Cisco Secure ACS also enables you to define and apply a NAR for a single group from within the Group Setup section. You must have enabled the Group-Level Network Access Restriction setting under the Advanced Options page of the Interface Configuration section for single group IP-based filter options and single group CLI/DNIS-based filter options to appear in the Cisco Secure ACS HTML interface.

Note When an authentication request is forwarded by proxy to a Cisco Secure ACS server, any NARs for TACACS+ requests are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client.

To set NARs for a user group, follow these steps:

Step 1 In the navigation bar, click Group Setup.

The Group Setup Select page opens.

Step 2 From the Group list, select a group, and then click Edit Settings.

The Group Settings page displays the name of the group at its top.

Step 3 To apply a previously configured shared NAR to this group, follow these steps:

b. To specify whether one or all shared NARs must apply for a member of the group to be permitted access, select one of the following options:

•All selected shared NARS result in permit

•Any one selected shared NAR results in permit

c. Select a shared NAR name in the Shared NAR list, and then click --> (right arrow button) to move the name into the Selected Shared NARs list.

Tip To view the server details of the shared NARs you have selected to apply, you can click either View IP NAR or View CLID/DNIS NAR, as applicable.

Step 4 To define and apply a NAR for this particular user group that permits or denies access to this group based on IP address, or on IP address and port, follow these steps:

Tip You should define most NARs from within the Shared Components section so that the restrictions can be applied to more than one group or user. For more information, see Adding a Shared Network Access Restriction.

•AAA Client—Select either All AAA Clients or the name of the NDG or the name of the individual AAA client to which to permit or deny access.

•Port—Type the number of the port to which to permit or deny access. You can use the wildcard asterisk (*) to permit or deny access to all ports on the selected AAA client.

•Address—Type the IP address or addresses to filter on when performing access restrictions. You can use the wildcard asterisk (*).

Note The total number of characters in the AAA Client list and the Port and Src IP Address boxes must not exceed 1024. Although Cisco Secure ACS accepts more than 1024 characters when you add a NAR, you cannot edit the NAR and Cisco Secure ACS cannot accurately apply it to users.

d. Click Enter.

The specified AAA client, port, and address information appears in the NAR Access Control list.

Step 5 To permit or deny access to this user group based on calling location or values other than an established IP address, follow these steps:

a. Select the Define CLI/DNIS-based access restrictions check box.

b. To specify whether the subsequent listing specifies permitted or denied values, from the Table Defines list, select one of the following:

•Permitted Calling/Point of Access Locations

•Denied Calling/Point of Access Locations

c. From the AAA Client list, select either All AAA Clients or the name of the NDG or the name of the particular AAA client to which to permit or deny access.

d. Complete the following boxes:

Note You must type an entry in each box. You can use the wildcard asterisk (*) for all or part of a value. The format you use must match the format of the string you receive from your AAA client. You can determine this format from your RADIUS Accounting Log.

•PORT—Type the number of the port to which to permit or deny access. You can use the wildcard asterisk (*) to permit or deny access to all ports.

•CLI—Type the CLI number to which to permit or deny access. You can use the wildcard asterisk (*) to permit or deny access based on part of the number or all numbers.

Tip This is also the selection to use if you want to restrict access based on other values, such as a Cisco Aironet client MAC address. For more information, see About Network Access Restrictions.

•DNIS—Type the DNIS number to restrict access based on the number into which the user will be dialing. You can use the wildcard asterisk (*) to permit or deny access based on part of the number or all numbers.

Tip This is also the selection to use if you want to restrict access based on other values, such as a Cisco Aironet AP MAC address. For more information, see About Network Access Restrictions.

Note The total number of characters in the AAA Client list and the Port, CLI, and DNIS boxes must not exceed 1024. Although Cisco Secure ACS accepts more than 1024 characters when you add a NAR, you cannot edit the NAR and Cisco Secure ACS cannot accurately apply it to users.

e. Click Enter.

The information specifying the AAA client, port, CLI, and DNIS appears in the list.

Step 7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.
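The following is an added example (not Cisco code) that models how the group-level NARs described above are evaluated: the wildcard asterisk in the Port, Address, CLI and DNIS boxes, the permitted/denied meaning of the Table Defines setting, the "All" versus "Any one" combination of selected shared NARs, and the 1024-character limit. The client names, NDG names and addresses are constructed sample data.

```python
"""Model of Cisco Secure ACS group-level NAR evaluation as described in
this chapter. Added example, not Cisco code; sample data is constructed."""
import re
from dataclasses import dataclass
from typing import Tuple

ALL_AAA_CLIENTS = "All AAA Clients"   # list entry that matches every AAA client
MAX_NAR_CHARS = 1024                  # limit stated in the Notes above


def wildcard_match(pattern: str, value: str) -> bool:
    """Match a NAR box value: '*' stands for all or part of a value and every
    other character is literal ('?' and '[' are not special, unlike shell globs)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


@dataclass(frozen=True)
class Request:
    """What ACS sees for one authentication. For a TACACS+ request that arrived
    by proxy, aaa_client is the forwarding AAA server, not the original client."""
    aaa_client: str
    ndg: str                      # network device group of the AAA client
    values: Tuple[str, ...]       # (port, address) or (port, cli, dnis), as received


@dataclass(frozen=True)
class NarEntry:
    """One row of a NAR table. An IP-based NAR has the boxes (port, address);
    a CLI/DNIS-based NAR has (port, CLI, DNIS)."""
    aaa_client: str               # ALL_AAA_CLIENTS, an NDG name or a AAA client name
    boxes: Tuple[str, ...]

    def within_limit(self) -> bool:
        # ACS accepts longer entries but cannot edit them or apply them accurately.
        return len(self.aaa_client) + sum(map(len, self.boxes)) <= MAX_NAR_CHARS

    def matches(self, req: Request) -> bool:
        if self.aaa_client not in (ALL_AAA_CLIENTS, req.aaa_client, req.ndg):
            return False
        if len(self.boxes) != len(req.values):
            raise ValueError("request values do not line up with the NAR boxes")
        return all(wildcard_match(p, v) for p, v in zip(self.boxes, req.values))


@dataclass(frozen=True)
class Nar:
    permitted: bool               # Table Defines: True = permitted, False = denied locations
    entries: Tuple[NarEntry, ...]

    def permits(self, req: Request) -> bool:
        matched = any(e.matches(req) for e in self.entries)
        return matched if self.permitted else not matched


def shared_nars_permit(nars, req: Request, require_all: bool) -> bool:
    """Combine the selected shared NARs: 'All selected shared NARs result in
    permit' (require_all=True) or 'Any one selected shared NAR results in permit'."""
    verdicts = [n.permits(req) for n in nars]
    if not verdicts:
        return True               # no shared NAR selected: nothing restricts the group
    return all(verdicts) if require_all else any(verdicts)


# Constructed sample data: a permit table for 10.1.x.x addresses on any client,
# and a deny table covering everything that reaches the "branch" NDG.
IP_NAR = Nar(True, (NarEntry(ALL_AAA_CLIENTS, ("*", "10.1.*")),))
BRANCH_DENY = Nar(False, (NarEntry("branch", ("*", "*")),))
HQ_DIALIN = Request("nas1", "hq", ("tty3", "10.1.2.3"))
BRANCH_DIALIN = Request("nas7", "branch", ("tty3", "10.1.9.9"))
```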

Setting Max Sessions for a User Group

Note If this feature does not appear, click Interface Configuration, click Advanced Options, and then select the Max Sessions check box.

Perform this procedure to define the maximum number of sessions available to a group, or to each user in a group, or both. The settings are as follows:

•Sessions available to group—Sets the maximum number of simultaneous connections for the entire group.

•Sessions available to users of this group—Sets the maximum number of total simultaneous connections for each user in this group.

Tip As an example, suppose Sessions available to group is set to 10 and Sessions available to users of this group is set to 2. If each user is using the maximum 2 simultaneous sessions, no more than 5 users can log in.

Note A session is any type of connection supported by RADIUS or TACACS+, such as PPP, NAS prompt, Telnet, ARAP, IPX/SLIP.

Note The default setting for group Max Sessions is Unlimited for both the group and the user within the group.

To configure max sessions settings for a user group, follow these steps:

Step 1 In the navigation bar, click Group Setup.

The Group Setup Select page opens.

Step 2 From the Group list, select a group, and then click Edit Settings.

The Group Settings page displays the name of the group at its top.

Step 3 In the Max Sessions table, under Sessions available to group, select one of the following options:

•Unlimited—Select to allow this group an unlimited number of simultaneous sessions. (This effectively disables Max Sessions.)

•n—Type the maximum number of simultaneous sessions to allow this group.

Step 4 In the lower portion of the Max Sessions table, under Sessions available to users of this group, select one of the following two options:

•Unlimited—Select to allow each individual in this group an unlimited number of simultaneous sessions. (This effectively disables Max Sessions.)

•n—Type the maximum number of simultaneous sessions to allow each user in this group.

Step 6 To continue specifying other group settings, perform other procedures in this chapter, as applicable.
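As an added example (not Cisco code), the admission check below applies both Max Sessions limits to a group, with Unlimited represented by None, and reproduces the Tip above: 10 sessions for the group and 2 per user admit at most 5 fully loaded users.

```python
"""Admission check modelling the Max Sessions settings of a group.
Added example, not Cisco code."""
from typing import Dict, Optional

UNLIMITED: Optional[int] = None      # the "Unlimited" choice in either table


class GroupMaxSessions:
    """Tracks live sessions for one group. A session is any RADIUS or TACACS+
    connection (PPP, Telnet, ARAP, ...), counted per user."""

    def __init__(self, sessions_for_group: Optional[int] = UNLIMITED,
                 sessions_per_user: Optional[int] = UNLIMITED) -> None:
        self.group_limit = sessions_for_group
        self.user_limit = sessions_per_user
        self.active: Dict[str, int] = {}  # user -> number of live sessions

    def group_total(self) -> int:
        return sum(self.active.values())

    def can_start(self, user: str) -> bool:
        """Both limits must leave room; Unlimited (None) never blocks."""
        if self.user_limit is not None and self.active.get(user, 0) >= self.user_limit:
            return False
        if self.group_limit is not None and self.group_total() >= self.group_limit:
            return False
        return True

    def start(self, user: str) -> bool:
        """Admit a new session for user if allowed; returns whether it was admitted."""
        if not self.can_start(user):
            return False
        self.active[user] = self.active.get(user, 0) + 1
        return True

    def stop(self, user: str) -> None:
        """Release one session, e.g. when the accounting stop record arrives."""
        if self.active.get(user, 0) <= 1:
            self.active.pop(user, None)
        else:
            self.active[user] -= 1
```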

Setting Usage Quotas for a User Group

Note If this feature does not appear, click Interface Configuration, click Advanced Options, and then select the Usage Quotas check box.

Perform this procedure to define usage quotas for members of a group. Session quotas affect each user of a group individually, not the group collectively. You can set quotas for a given period in two ways:

•By total duration of session

•By the total number of sessions

If you make no selections in the Usage Quotas section for a group, no usage quotas are enforced on users assigned to that group, unless you configure usage quotas for the individual users.

Note The Usage Quotas section on the Group Settings page does not show usage statistics. Usage statistics are available only on the settings page for an individual user. For more information, see Setting User Usage Quotas Options.

When a user exceeds his or her assigned quota, Cisco Secure ACS denies that user access upon attempting to start a session. If a quota is exceeded during a session, Cisco Secure ACS allows the session to continue.

Tip To support time-based quotas, we recommend enabling accounting update packets on all AAA clients. If update packets are not enabled, the quota is updated when the user logs off. If the AAA client through which the user is accessing your network fails, the quota is not updated. In the case of multiple sessions, such as with ISDN, the quota is not updated until all sessions terminate. This means that a second channel will be accepted even if the first channel has exhausted the quota for the user.

To set user usage quotas for a user group, follow these steps:

Step 1 In the navigation bar, click Group Setup.

The Group Setup Select page opens.

Step 2 From the Group list, select a group, and then click Edit Settings.

The Group Settings page displays the name of the group at its top.

Step 3 To define usage quotas based on duration of sessions, follow these steps:

a. In the Usage Quotas table, select the Limit each user of this group to x hours of online time per time unit check box.

b. Type the number of hours to which you want to limit group members in the to x hours box. Use decimal values to indicate minutes. For example, a value of 10.5 would equal ten hours and 30 minutes.

Note Up to 5 characters are allowed in the to x hours box.

c. Select the period for which the quota is effective from the following:

•per Day—From 12:01 a.m. until midnight.

•per Week—From 12:01 a.m. Sunday until midnight Saturday.

•per Month—From 12:01 a.m. on the first of the month until midnight on the last day of the month.

•Total—An ongoing count of hours, with no end.

Step 4 To define user session quotas based on number of sessions, follow these steps:

a. In the Usage Quotas table, select the Limit each user of this group to x sessions check box.

b. Type the number of sessions to which you want to limit users in the to x sessions box.

Note Up to 5 characters are allowed in the to x sessions box.

c. Select the period for which the session quota is effective from the following:

•per Day—From 12:01 a.m. until midnight.

•per Week—From 12:01 a.m. Sunday until midnight Saturday.

•per Month—From 12:01 a.m. on the first of the month until midnight on the last day of the month.

Step 6 To continue specifying other group settings, perform other procedures in this chapter, as applicable.
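The added example below (not Cisco code) works through the usage-quota behaviour described above: the 5-character hours box with decimal minutes, the per Day / per Week / per Month / Total period boundaries at midnight, and a check that is applied only at session start and only against usage that accounting has already reported. The dates and session records are constructed.

```python
"""Period boundaries and session-start check for group usage quotas.
Added example, not Cisco code; dates and records are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import List, Optional, Tuple


def parse_hours_box(text: str) -> float:
    """The 'to x hours' box: up to 5 characters, decimals mean minutes
    (10.5 is ten hours and 30 minutes)."""
    if len(text) > 5:
        raise ValueError("at most 5 characters are allowed in the hours box")
    if not re.fullmatch(r"\d+(\.\d+)?", text):
        raise ValueError("hours must be a plain decimal number")
    return float(text)


def period_start(period: str, at: datetime) -> Optional[datetime]:
    """Midnight that opens the quota period containing 'at'; None for Total."""
    day = at.date()
    if period == "per Day":
        first = day
    elif period == "per Week":                        # Sunday through Saturday
        first = day - timedelta(days=(day.weekday() + 1) % 7)
    elif period == "per Month":
        first = day.replace(day=1)
    elif period == "Total":
        return None                                   # ongoing count, no end
    else:
        raise ValueError(f"unknown period {period!r}")
    return datetime.combine(first, time.min)


@dataclass(frozen=True)
class UsageQuota:
    max_hours: Optional[float] = None      # "Limit ... to x hours" or unset
    hours_period: str = "per Day"
    max_sessions: Optional[int] = None     # "Limit ... to x sessions" or unset
    sessions_period: str = "per Day"


# An accounted session: (time the stop or interim-update packet arrived, hours used).
AccountedSession = Tuple[datetime, float]


def usage_in_period(records: List[AccountedSession], start: Optional[datetime]):
    """Sum only what accounting has reported. A session still running on a
    client that sends no interim updates contributes nothing yet, which is
    why a second ISDN channel is accepted after the first exhausted the quota."""
    in_scope = [h for t, h in records if start is None or t >= start]
    return sum(in_scope), len(in_scope)


def session_allowed(quota: UsageQuota, records: List[AccountedSession],
                    now: datetime) -> bool:
    """The quota is checked only when a session starts; exceeding it during
    a session never cuts that session off."""
    if quota.max_hours is not None:
        hours, _ = usage_in_period(records, period_start(quota.hours_period, now))
        if hours >= quota.max_hours:
            return False
    if quota.max_sessions is not None:
        _, count = usage_in_period(records, period_start(quota.sessions_period, now))
        if count >= quota.max_sessions:
            return False
    return True
```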

Configuration-specific User Group Settings

This section details procedures that you perform only as applicable to your particular network security configuration. For instance, if you have no token server configured, you do not have to set token card settings for each group.

Note When a vendor-specific variety of RADIUS is configured for use by network devices, the RADIUS (IETF) attributes are available because they are the base set of attributes used by all RADIUS vendors per the RADIUS IETF specifications.

The HTML interface content corresponding to these procedures is dynamic, its appearance based upon the following two factors:

•For a particular protocol (RADIUS or TACACS+) to be listed, at least one AAA client entry in the Network Configuration section of the HTML interface must use that protocol. For more information, see AAA Client Configuration.

Setting Token Card Settings for a User Group

Perform this procedure to allow a token to be cached. This means users can use a second B channel without having to enter a second one-time password (OTP).

Caution This option is for use with token caching only for ISDN terminal adapters. You should fully understand token caching and ISDN concepts and principles before implementing this option. Token caching allows you to connect to multiple B channels without having to provide a token for each channel connection. Token card settings are applied to all users in the selected group.

Options for token caching include the following:

•Session—You can select Session to cache the token for the entire session. This allows the second B channel to dynamically go in and out of service.

•Duration—You can select Duration and specify a period of time to have the token cached (from the time of first authentication). If this time period expires, the user cannot start a second B channel.

•Session and Duration—You can select both Session and Duration so that, if the session runs longer than the duration value, a new token is required to open a second B channel. Type a value high enough to allow the token to be cached for the entire session.

To set token card settings for a user group, follow these steps:

Step 1 In the navigation bar, click Group Setup.

The Group Setup Select page opens.

Step 2 From the Group list, select a group, and then click Edit Settings.

The Group Settings page displays the name of the group at its top.

Step 3 From the Jump To list at the top of the page, choose Token Cards.

Step 4 In the Token Card Settings table, to cache the token for the entire session, select Session.

Step 5 Also in the Token Card Settings table, to cache the token for a specified time period (measured from the time of first authentication), follow these steps:

Step 7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.

Setting Enable Privilege Options for a User Group

Note If this section does not appear, click Interface Configuration and then click TACACS+ (Cisco). At the bottom of the page in the Advanced Configuration Options table, select the Advanced TACACS+ features check box.

Perform this procedure to configure group-level TACACS+ enable parameters. The three possible TACACS+ enable options are as follows:

•Max Privilege for Any AAA Client—Select this option to set the maximum privilege level for this user group for any AAA client on which this group is authorized.

•Define max Privilege on a per-network device group basis—Select this option to define maximum privilege levels for an NDG. To use this option, you create a list of device groups and corresponding maximum privilege levels. See your AAA client documentation for information about privilege levels.

Note To define levels in this manner, you must have configured the option in Interface Configuration; if you have not done so already, click Interface Configuration, click Advanced Settings, and then select the Network Device Groups check box.

If you are using NDGs, this option lets you configure the NDG for enable-level mapping rather than having to do it for each user in the group.

To set enable privilege options for a user group, follow these steps:

Step 1 In the navigation bar, click Group Setup.

The Group Setup Select page opens.

Step 2 From the Group list, select a group, and then click Edit Settings.

The Group Settings page displays the name of the group at its top.

Step 3 From the Jump To list at the top of the page, choose Enable Options.

•To set the maximum privilege level for this user group, for any ACS on which this group is authorized, select the Max Privilege for Any Access Server option. Then, select the maximum privilege level from the list.

•To define the maximum NDG privilege level for this user group, select the Define max Privilege on a per-network device group basis option. Then, from the lists, select the NDG and a corresponding privilege level. Finally, click Add Association.

Result: The association of NDG and maximum privilege level appears in the table.

Step 6 To continue specifying other group settings, perform other procedures in this chapter, as applicable.

Enabling Password Aging for the CiscoSecure User Database

The password aging feature of Cisco Secure ACS enables you to force users to change their passwords under one or more of the following conditions:

•After a specified number of days (age-by-date rules).

•After a specified number of logins (age-by-uses rules).

•The first time a new user logs in (password change rule).

Varieties of Password Aging Supported by Cisco Secure ACS

Cisco Secure ACS supports four distinct password aging mechanisms:

•PEAP and EAP-FAST Windows Password Aging—Users must be in the Windows user database and be using a Microsoft client that supports EAP, such as Windows XP. For information on the requirements and configuration of this password aging mechanism, see Enabling Password Aging for Users in Windows Databases.

•RADIUS-based Windows Password Aging—Users must be in the Windows user database and be using the Windows Dial-up Networking (DUN) client. For information on the requirements and configuration of this password aging mechanism, see Enabling Password Aging for Users in Windows Databases.

•Password Aging for Device-hosted Sessions—Users must be in the CiscoSecure user database, the AAA client must be running TACACS+, and the connection must use Telnet. You can control the ability of users to change passwords during a device-hosted Telnet session. You can also control whether Cisco Secure ACS propagates passwords changed by this feature. For more information, see Local Password Management.

•Password Aging for Transit Sessions—Users must be in the CiscoSecure user database. Users must use a PPP dialup client. Further, the end-user client must have CiscoSecure Authentication Agent (CAA) installed.

Also, to run password aging for transit sessions, the AAA client can be running either RADIUS or TACACS+; and the AAA client must be using Cisco IOS Release 11.2.7 or later and be configured to send a watchdog accounting packet (aaa accounting new-info update) with the IP address of the calling station. (Watchdog packets are interim packets sent periodically during a session. They provide an approximate session length in the event that no stop packet is received to mark the end of the session.)

You can control whether Cisco Secure ACS propagates passwords changed by this feature. For more information, see Local Password Management.

Cisco Secure ACS supports password aging using the RADIUS protocol under MS CHAP versions 1 and 2. Cisco Secure ACS does not support password aging over Telnet connections using the RADIUS protocol.

Caution If a user with a RADIUS connection tries to make a Telnet connection to the AAA client during or after the password aging warning or grace period, the change password option does not appear, and the user account is expired.

–Active period—The number of days users will be allowed to log in before being prompted to change their passwords. For example, if you enter 20, users can use their passwords for 20 days without being prompted to change them. The default Active period is 20 days.

–Warning period—The number of days users will be notified to change their passwords. The existing password can be used, but Cisco Secure ACS presents a warning indicating that the password must be changed and displays the number of days left before the password expires. For example, if you enter 5 in this box and 20 in the Active period box, users will be notified to change their passwords on the 21st through 25th days.

–Grace period—The number of days to provide as the user grace period. The grace period allows a user to log in once to change the password. The existing password can be used one last time after the number of days specified in the active and warning period fields has been exceeded. Then, a dialog box warns the user that the account will be disabled if the password is not changed, and enables the user to change it. Continuing with the examples above, if you allow a 5-day grace period, a user who did not log in during the active and warning periods would be permitted to change passwords up to and including the 30th day. However, even though the grace period is set for 5 days, a user is allowed only one attempt to change the password when the password is in the grace period. Cisco Secure ACS displays the "last chance" warning only once. If the user does not change the password, this login is still permitted, but the password expires, and the next authentication is denied. An entry is logged in the Failed-Attempts log, and the user must contact an administrator to have the account reinstated.

Note All passwords expire at midnight, not the time at which they were set.

•Apply age-by-uses rules—Selecting this check box configures Cisco Secure ACS to determine password aging by the number of logins. The age-by-uses rules contain the following settings:

–Issue warning after x logins—The number of the login upon which Cisco Secure ACS begins prompting users to change their passwords. For example, if you enter 10, users are allowed to log in 10 times without a change-password prompt. On the 11th login, they are prompted to change their passwords.

Tip To allow users to log in an unlimited number of times without changing their passwords, type -1.

–Require change after x logins—The number of the login after which to notify users that they must change their passwords. Continuing with the previous example, if this number is set to 12, users receive prompts requesting them to change their passwords on their 11th and 12th login attempts. On the 13th login attempt, they receive a prompt telling them that they must change their passwords. If users do not change their passwords now, their accounts expire and they cannot log in. This number must be greater than the Issue warning after x logins number.

Tip To allow users to log in an unlimited number of times without changing their passwords, type -1.

•Apply password change rule—Selecting this check box forces new users to change their passwords the first time they log in.

The password aging rules are not mutually exclusive; a rule is applied for each check box that is selected. For example, users can be forced to change their passwords every 20 days, and every 10 logins, and to receive warnings and grace periods accordingly.

If no options are selected, passwords never expire.

Unlike most other parameters, which have corresponding settings at the user level, password aging parameters are configured only on a group basis.

Users who fail authentication because they have not changed their passwords and have exceeded their grace periods are logged in the Failed Attempts log. The accounts expire and appear in the Accounts Disabled list.

Before You Begin

•Verify that your AAA client is running the TACACS+ or RADIUS protocol. (TACACS+ only supports password aging for device-hosted sessions.)

•Set up your AAA client to perform authentication and accounting using the same protocol, either TACACS+ or RADIUS.

Step 9 To continue specifying other group settings, perform other procedures in this chapter, as applicable.
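The added example below (not Cisco code) evaluates a login against the password aging rules described in this section: the active, warning and grace periods counted in calendar days (passwords expire at midnight), the age-by-uses warning and required-change login numbers with -1 meaning unlimited, the first-login change rule, and the fact that every selected rule applies with the most severe outcome winning. Treating the day the password was set as day 0 is an assumption of this example.

```python
"""Password aging evaluation following the age-by-date, age-by-uses and
password change rules of this chapter. Added example, not Cisco code."""
from dataclasses import dataclass
from datetime import date

UNLIMITED = -1                        # -1 in a logins box: never warn / never require

OK, WARNING, CHANGE_NOW, EXPIRED = "ok", "warning", "change-now", "expired"
_SEVERITY = {OK: 0, WARNING: 1, CHANGE_NOW: 2, EXPIRED: 3}


@dataclass(frozen=True)
class PasswordAging:
    age_by_date: bool = False
    active_days: int = 20             # default Active period
    warning_days: int = 5
    grace_days: int = 5
    age_by_uses: bool = False
    warn_after_logins: int = 10       # "Issue warning after x logins"
    require_after_logins: int = 12    # "Require change after x logins"
    change_on_first_login: bool = False

    def __post_init__(self) -> None:
        # "Require change after" must exceed "Issue warning after" unless unlimited.
        if (self.age_by_uses
                and UNLIMITED not in (self.warn_after_logins, self.require_after_logins)
                and self.require_after_logins <= self.warn_after_logins):
            raise ValueError("Require change after x logins must exceed Issue warning after")


def password_day(changed_on: date, today: date) -> int:
    """Calendar-day age of the password. Passwords expire at midnight, so the
    day it was set counts as day 0 and the next day as day 1 (assumption)."""
    return (today - changed_on).days


def date_rule(p: PasswordAging, day: int, grace_login_used: bool) -> str:
    if day <= p.active_days:
        return OK
    if day <= p.active_days + p.warning_days:
        return WARNING
    if day <= p.active_days + p.warning_days + p.grace_days:
        # Only one login during the grace period gets the "last chance" prompt.
        return EXPIRED if grace_login_used else CHANGE_NOW
    return EXPIRED


def uses_rule(p: PasswordAging, login_number: int) -> str:
    """login_number is the ordinal of the login being attempted now."""
    if p.require_after_logins != UNLIMITED and login_number > p.require_after_logins:
        # The login right after the limit must change the password; later ones are denied.
        return CHANGE_NOW if login_number == p.require_after_logins + 1 else EXPIRED
    if p.warn_after_logins != UNLIMITED and login_number > p.warn_after_logins:
        return WARNING
    return OK


def evaluate(p: PasswordAging, day: int, login_number: int,
             grace_login_used: bool = False) -> str:
    """Rules are not mutually exclusive: each selected rule is applied and the
    most severe verdict wins. With no rule selected, passwords never expire."""
    verdicts = [OK]
    if p.age_by_date:
        verdicts.append(date_rule(p, day, grace_login_used))
    if p.age_by_uses:
        verdicts.append(uses_rule(p, login_number))
    if p.change_on_first_login and login_number == 1:
        verdicts.append(CHANGE_NOW)
    return max(verdicts, key=_SEVERITY.__getitem__)
```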

Enabling Password Aging for Users in Windows Databases

Cisco Secure ACS supports two types of password aging for users in Windows databases. Both types of Windows password aging mechanisms are separate and distinct from the other Cisco Secure ACS password aging mechanisms. For information on the requirements and settings for the password aging mechanisms that control users in the CiscoSecure user database, see Enabling Password Aging for the CiscoSecure User Database.

Note You can run both Windows Password Aging and Cisco Secure ACS Password Aging for Transit Sessions mechanisms concurrently, provided that the users authenticate from the two different databases.

•EAP-FAST password aging—If password aging occurs during phase zero of EAP-FAST, it depends upon EAP-MSCHAPv2 to send and receive the password change messages. If password aging occurs during phase two of EAP-FAST, it depends upon EAP-GTC to send and receive the password change messages. Requirements for implementing the EAP-FAST Windows password aging mechanism include the following:

–The AAA client must support EAP.

–Users must be in a Windows user database.

–Users must be using a client that supports EAP-FAST.

–You must enable EAP-FAST on the Global Authentication Configuration page within the System Configuration section.

Users whose Windows accounts reside in "remote" domains (that is, not the domain within which Cisco Secure ACS is running) can only use the Windows-based password aging if they supply their domain names.

The methods and functionality of Windows password aging differ according to which Microsoft Windows operating system you are using, and whether you employ Active Directory (AD) or Security Accounts Manager (SAM). Setting password aging for users in the Windows user database is only one part of the larger task of setting security policies in Windows. For comprehensive information on Windows procedures, refer to your Windows system documentation.

Setting IP Address Assignment Method for a User Group

Perform this procedure to configure the way Cisco Secure ACS assigns IP addresses to users in the group. The four possible methods are as follows:

•No IP address assignment—No IP address is assigned to this group.

•Assigned by dialup client—Use the IP address that is configured on the dialup client network settings for TCP/IP.

•Assigned from AAA Client pool—The IP address is assigned from an IP address pool configured on the AAA client.

•Assigned from AAA server pool—The IP address is assigned from an IP address pool configured on the AAA server.

To set an IP address assignment method for a user group, follow these steps:

Step 1 In the navigation bar, click Group Setup.

The Group Setup Select page opens.

Step 2 From the Group list, select a group, and then click Edit Settings.

The Group Settings page displays the name of the group at its top.

Step 3 From the Jump To list at the top of the page, choose IP Address Assignment.

Step 6 To continue specifying other group settings, perform other procedures in this chapter, as applicable.

Assigning a Downloadable IP ACL to a Group

The Downloadable ACLs feature enables you to assign an IP ACL at the group level.

Note You must have established one or more IP ACLs before attempting to assign one. For instructions on how to add a downloadable IP ACL using the Shared Profile Components section of the Cisco Secure ACS HTML interface, see Adding a Downloadable IP ACL.

Tip The Downloadable ACLs table does not appear if it has not been enabled. To enable the Downloadable ACLs table, click Interface Configuration, click Advanced Options, and then select the Group-Level Downloadable ACLs check box.

To assign a downloadable IP ACL to a group, follow these steps:

Step 1 In the navigation bar, click Group Setup.

The Group Setup Select page opens.

Step 2 From the Group list, select a group, and then click Edit Settings.

The Group Settings page displays the name of the group at its top.

Step 3 From the Jump To list at the top of the page, choose Downloadable ACLs.

Tip For ACLs and IP address pools, the name of the ACL or pool as defined on the AAA client should be entered. (An ACL is a list of Cisco IOS commands used to restrict access to or from other devices and users on the network.)

Note Leave the attribute value box blank if the default (as defined on the AAA client) should be used.

Note You can define and download an ACL. Click Interface Configuration, click TACACS+ (Cisco IOS), and then select Display a window for each service selected in which you can enter customized TACACS+ attributes. A box opens under each service/protocol in which you can define an ACL.

Step 5 To allow all services to be permitted unless specifically listed and disabled, you can select the Default (Undefined) Services check box under the Checking this option will PERMIT all UNKNOWN Services table.

Caution This is an advanced feature and should only be used by administrators who understand the security implications.

Step 6 To assign a particular shell command authorization set to be effective on any configured network device, follow these steps:

a. Select the Assign a Shell Command Authorization Set for any network device option.

b. Then, from the list directly below that option, select the shell command authorization set you want applied to this group.

Step 7 To create associations that assign a particular shell command authorization set to be effective on a particular NDG, for each association, follow these steps:

a. Select the Assign a Shell Command Authorization Set on a per Network Device Group Basis option.

b. Select a Device Group and a corresponding Command Set.

Tip You can select a Command Set that will be effective for all Device Groups that are not otherwise assigned by assigning that set to the <default> Device Group.

c. Click Add Association.

The associated NDG and shell command authorization set appear in the table.

Step 8 To define the specific Cisco IOS commands and arguments to be permitted or denied at the group level, follow these steps:

a. Select the Per Group Command Authorization option.

b. Under Unmatched Cisco IOS commands, select either Permit or Deny.

If you select Permit, users can issue all commands not specifically listed. If you select Deny, users can issue only those commands listed.

c. To list particular commands to be permitted or denied, select the Command check box and then type the name of the command, define its arguments using standard permit or deny syntax, and select whether unlisted arguments should be permitted or denied.

Caution This is a powerful, advanced feature and should be used by an administrator skilled with Cisco IOS commands. Correct syntax is the responsibility of the administrator. For information on how Cisco Secure ACS uses pattern matching in command arguments, see About Pattern Matching.

Tip To enter several commands, you must click Submit after specifying a command. A new command entry box appears below the box you just completed.
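The following Python model makes the Step 8 decision rules concrete: an unmatched-commands setting of Permit or Deny, a list of named commands, and for each command a list of permit/deny argument rules plus an unlisted-arguments setting. It is an added illustration, not Cisco Secure ACS code, and the matching details are assumptions chosen for clarity (commands are compared case-insensitively on the first word, argument rules are regular expressions evaluated in the order listed, and the first rule that matches decides); the sample policy and command lines are constructed.

```python
"""Model of per-group Cisco IOS command authorization (added example, not ACS code).

Assumptions (not from the documentation): the command is the first word of the
line, argument rules are regular expressions tried in listed order, and the
first matching rule decides.  Cisco Secure ACS's own pattern matching is
described under "About Pattern Matching" and may differ in detail.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class CommandRule:
    command: str                                        # e.g. "show"
    arg_rules: List[Tuple[str, str]] = field(default_factory=list)  # ("permit"|"deny", regex)
    unlisted_args: str = "deny"                         # Permit/Deny for unlisted arguments


@dataclass
class GroupCommandPolicy:
    unmatched_commands: str                             # Permit/Deny for commands not listed
    rules: List[CommandRule] = field(default_factory=list)

    def decide(self, command_line: str) -> str:
        """Return "permit" or "deny" for one command line issued by a group member."""
        parts = command_line.strip().split(None, 1)
        if not parts:
            return "deny"                               # an empty line authorizes nothing
        cmd = parts[0].lower()
        args = parts[1] if len(parts) > 1 else ""
        for rule in self.rules:
            if rule.command.lower() != cmd:
                continue
            for action, pattern in rule.arg_rules:    # assumption: first match wins
                if re.search(pattern, args):
                    return action
            return rule.unlisted_args                   # command listed, arguments not
        return self.unmatched_commands                  # command not listed at all


def sample_policy() -> GroupCommandPolicy:
    """Constructed sample: a read-mostly operator group.

    Unlisted commands are denied; "show" is allowed except for the running
    configuration; "clear" is allowed only for interface counters.
    """
    return GroupCommandPolicy(
        unmatched_commands="deny",
        rules=[
            CommandRule("show",
                        arg_rules=[("permit", r"^(version|ip route|interfaces)"),
                                   ("deny", r"running-config")],
                        unlisted_args="deny"),
            CommandRule("clear",
                        arg_rules=[("permit", r"^counters")],
                        unlisted_args="deny"),
        ],
    )


def audit(policy: GroupCommandPolicy, lines: List[str]) -> List[Tuple[str, str]]:
    """Evaluate several command lines; handy for reviewing a policy before deployment."""
    return [(line, policy.decide(line)) for line in lines]


if __name__ == "__main__":
    for line, verdict in audit(sample_policy(), ["show version", "show running-config",
                                                 "configure terminal", "clear counters",
                                                 "clear line 1"]):
        print(f"{verdict:6s} {line}")
```

Reviewing a policy this way before enabling it in Group Setup is useful because the two "unlisted" settings interact: a command that is listed falls through to its own unlisted-arguments setting, never to the group-wide Unmatched Cisco IOS commands setting.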

Configuring a PIX Command Authorization Set for a User Group

Use this procedure to specify the PIX command authorization set parameters for a user group. There are three options:

•None—No authorization for PIX commands.

•Assign a PIX Command Authorization Set for any network device—One PIX command authorization set is assigned, and it applies to all network devices.

•Assign a PIX Command Authorization Set on a per Network Device Group Basis—Particular PIX command authorization sets are to be effective on particular NDGs.

Before You Begin

•Ensure that a AAA client has been configured to use TACACS+ as the security control protocol.

•On the TACACS+ (Cisco) page of the Interface Configuration section, ensure that the PIX Shell (pixShell) option is selected in the Group column.

Step 6 To assign a particular PIX command authorization set to be effective on any configured network device, follow these steps:

a. Select the Assign a PIX Command Authorization Set for any network device option.

b. From the list directly below that option, select the PIX command authorization set you want applied to this user group.

Step 7 To create associations that assign a particular PIX command authorization set to be effective on a particular NDG, for each association, follow these steps:

a. Select the Assign a PIX Command Authorization Set on a per Network Device Group Basis option.

b. Select a Device Group and an associated Command Set.

c. Click Add Association.

The associated NDG and PIX command authorization set appear in the table.

Note To remove or edit an existing PIX command authorization set association, you can select the association from the list, and then click Remove Association.

Configuring Device-Management Command Authorization for a User Group

Use this procedure to specify the device-management command authorization set parameters for a group. Device-management command authorization sets support the authorization of tasks in Cisco device-management applications that are configured to use Cisco Secure ACS for authorization. There are three options:

•None—No authorization is performed for commands issued in the applicable Cisco device-management application.

•Assign a device-management application for any network device—For the applicable device-management application, one command authorization set is assigned, and it applies to management tasks on all network devices.

•Assign a device-management application on a per Network Device Group Basis—For the applicable device-management application, this option enables you to apply command authorization sets to specific NDGs, so that it affects all management tasks on the network devices belonging to the NDG.

Note This feature requires that you have configured a command authorization set for the applicable Cisco device-management application. For detailed steps, see Adding a Command Authorization Set.

To specify device-management application command authorization for a user group, follow these steps:

Step 1 In the navigation bar, click Group Setup.

The Group Setup Select page opens.

Step 2 From the Group list, select a group, and then click Edit Settings.

The Group Settings page displays the name of the group at its top.

Step 3 From the Jump To list at the top of the page, choose TACACS+.

The system displays the TACACS+ Settings table section.

Step 4 Use the vertical scrollbar to scroll to the device-management application feature area, where device-management application is the name of the applicable Cisco device-management application.

Step 5 To prevent the application of any command authorization set for the applicable device-management application, select the None option.

Step 6 To assign a particular command authorization set that affects device-management application actions on any network device, follow these steps:

a. Select the Assign a device-management application for any network device option.

b. Then, from the list directly below that option, select the command authorization set you want applied to this group.

Step 7 To create associations that assign a particular command authorization set that affects device-management application actions on a particular NDG, for each association, follow these steps:

a. Select the Assign a device-management application on a per Network Device Group Basis option.

b. Select a Device Group and a corresponding device-management application.

c. Click Add Association.

The associated NDG and command authorization set appear in the table.

Configuring IETF RADIUS Settings for a User Group

These parameters appear only when both the following are true:

•A AAA client has been configured to use one of the RADIUS protocols in Network Configuration.

•Group-level RADIUS attributes have been enabled on the RADIUS (IETF) page in the Interface Configuration section of the HTML interface.

RADIUS attributes are sent as a profile for each user from Cisco Secure ACS to the requesting AAA client. To display or hide any of these attributes, see Protocol Configuration Options for RADIUS. For a list and explanation of RADIUS attributes, see "RADIUS Attributes". For more information about how your AAA client uses RADIUS, refer to your AAA client vendor documentation.

To configure IETF RADIUS attribute settings to be applied as an authorization for each user in the current group, follow these steps:

Step 1 In the navigation bar, click Group Setup.

The Group Setup Select page opens.

Step 2 From the Group list, select a group, and then click Edit Settings.

The Group Settings page displays the name of the group at its top.

Step 3 From the Jump To list at the top of the page, choose RADIUS (IETF).

Step 4 For each IETF RADIUS attribute you need to authorize for the current group, select the check box next to the attribute and then define the authorization for the attribute in the field or fields next to it.

Cisco IOS/PIX RADIUS represents only the Cisco VSAs. You must configure both the IETF RADIUS and Cisco IOS/PIX RADIUS attributes.

Note To hide or display Cisco IOS/PIX RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular group persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the group configuration interface.

To configure and enable Cisco IOS/PIX RADIUS attributes to be applied as an authorization for each user in the current group, follow these steps:

Step 2 If you want to use the [009\001] cisco-av-pair attribute to specify authorizations, select the check box next to the attribute and then type the attribute-value pairs in the text box. Separate each attribute-value pair by pressing Enter.

For example, if the current group is used for assigning authorizations to Network Admission Control (NAC) clients to which Cisco Secure ACS assigns a system posture token of Infected, you could specify values for the url-redirect, posture-token, and status-query-timeout attributes as follows:

Step 5 To continue specifying other group settings, perform other procedures in this chapter, as applicable.

Configuring Cisco Aironet RADIUS Settings for a User Group

The single Cisco Aironet RADIUS VSA, Cisco-Aironet-Session-Timeout, is a virtual VSA. It is a specialized implementation of the IETF RADIUS Session-Timeout attribute (27) that Cisco Secure ACS uses only when it responds to a RADIUS request from a AAA client using RADIUS (Cisco Aironet). This enables you to provide different timeout values for users accessing your network through wireless and wired access devices. By specifying a timeout value specifically for WLAN connections, you avoid the difficulties that would arise if you had to use a standard timeout value (typically measured in hours) for a WLAN connection (that is typically measured in minutes).

Tip Only enable and configure the Cisco-Aironet-Session-Timeout when some or all members of a group may connect through wired or wireless access devices. If members of a group always connect with a Cisco Aironet Access Point (AP) or always connect only with a wired access device, you do not need to use Cisco-Aironet-Session-Timeout but should instead configure RADIUS (IETF) attribute 27, Session-Timeout.

Imagine a user group with Cisco-Aironet-Session-Timeout set to 600 seconds (10 minutes) and with its IETF RADIUS Session-Timeout set to 3 hours. When a member of this group connects through a VPN concentrator, Cisco Secure ACS uses 3 hours as the timeout value. However, if that same user connects via a Cisco Aironet AP, Cisco Secure ACS responds to an authentication request from the Aironet AP by sending 600 seconds in the IETF RADIUS Session-Timeout attribute. Thus, with the Cisco-Aironet-Session-Timeout attribute configured, different session timeout values can be sent depending on whether the AAA client is a wired access device or a Cisco Aironet AP.

The Cisco-Aironet-Session-Timeout VSA appears on the Group Setup page only when both the following are true:

•A AAA client has been configured to use RADIUS (Cisco Aironet) in Network Configuration.

Note To hide or display the Cisco Aironet RADIUS VSA, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular group persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients configured to use RADIUS (Cisco Aironet), the VSA settings do not appear in the group configuration interface.

To configure and enable the Cisco Aironet RADIUS attribute to be applied as an authorization for each user in the current group, follow these steps:

Step 6 In the [5842\001] Cisco-Aironet-Session-Timeout box, type the session timeout value (in seconds) that Cisco Secure ACS is to send in the IETF RADIUS Session-Timeout (27) attribute when the AAA client is configured in Network Configuration to use the RADIUS (Cisco Aironet) authentication option. The recommended value is 600 seconds.

For more information about the IETF RADIUS Session-Timeout attribute, see "RADIUS Attributes", or your AAA client documentation.
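The following Python example shows what the Cisco IOS/PIX cisco-av-pair setting (Step 2 above) and the Cisco Aironet virtual VSA described in this section become on the wire. It is an added illustration, not Cisco Secure ACS code. The attribute encodings follow RFC 2865 (Session-Timeout is attribute 27; vendor-specific attributes are carried in attribute 26 with the vendor ID followed by a vendor type and length), using the vendor IDs the page gives in [009\001] and [5842\001]. The group values, the av-pair strings and the protocol names used as keys are constructed sample data, and the assumption that a RADIUS (Cisco Aironet) client also receives the Cisco IOS/PIX av-pairs is mine, not a statement from the documentation.

```python
"""Encode the RADIUS authorization attributes a group would produce (added example, not ACS code).

Wire formats follow RFC 2865.  The group profile below and the per-protocol
selection rules are constructed to mirror the behaviour described in the text:
the Aironet virtual VSA only changes the Session-Timeout value sent to a
RADIUS (Cisco Aironet) client; every other client gets the IETF value.
"""
import struct
from typing import Dict, List, Optional, Tuple

SESSION_TIMEOUT = 27          # IETF RADIUS Session-Timeout
VENDOR_SPECIFIC = 26          # IETF RADIUS Vendor-Specific
CISCO_VENDOR_ID = 9           # [009\001] cisco-av-pair is vendor type 1
AIRONET_VENDOR_ID = 5842      # [5842\001] Cisco-Aironet-Session-Timeout, vendor type 1

# Assumption: these protocols carry the Cisco IOS/PIX VSAs.
PROTOCOLS_WITH_CISCO_VSAS = ("RADIUS (Cisco IOS/PIX)", "RADIUS (Cisco Aironet)")


def ietf_attr(attr_type: int, value: bytes) -> bytes:
    """Type (1 byte), Length (1 byte, counts the header too), Value (1..253 bytes)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute using the recommended Vendor-Type/Vendor-Length sub-format."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return ietf_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def session_timeout_for(group: Dict, client_protocol: str) -> int:
    """The virtual Aironet VSA replaces the IETF value only for RADIUS (Cisco Aironet) clients."""
    aironet = group.get("aironet_session_timeout")
    if client_protocol == "RADIUS (Cisco Aironet)" and aironet is not None:
        return aironet
    return group["ietf_session_timeout"]


def build_authorization(group: Dict, client_protocol: str) -> bytes:
    """Attributes ACS-style authorization would send for one member of the group."""
    timeout = session_timeout_for(group, client_protocol)
    attrs = ietf_attr(SESSION_TIMEOUT, struct.pack("!I", timeout))
    if client_protocol in PROTOCOLS_WITH_CISCO_VSAS:
        for pair in group.get("cisco_av_pairs", []):
            attrs += vsa(CISCO_VENDOR_ID, 1, pair.encode("ascii"))
    return attrs


def decode_attributes(data: bytes) -> List[Tuple[int, Optional[int], Optional[int], bytes]]:
    """Parse attributes back into (type, vendor_id, vendor_type, value); vendor fields are None for IETF ones."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % i)
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        v = data[i + 2:i + length]
        if t == VENDOR_SPECIFIC:
            if len(v) < 6:
                raise ValueError("short vendor-specific attribute at offset %d" % i)
            vendor_id = struct.unpack("!I", v[:4])[0]
            vt, vl = v[4], v[5]
            out.append((t, vendor_id, vt, v[6:4 + vl]))
        else:
            out.append((t, None, None, v))
        i += length
    return out


def sample_group() -> Dict:
    """Constructed group profile: the 3-hour / 600-second example from the text plus
    NAC-style av-pairs (values are placeholders, not recommended settings)."""
    return {
        "ietf_session_timeout": 3 * 3600,        # IETF attribute 27, wired clients
        "aironet_session_timeout": 600,          # [5842\001], WLAN clients only
        "cisco_av_pairs": [
            "url-redirect=https://remediation.example.invalid/",
            "posture-token=Infected",
            "status-query-timeout=30",
        ],
    }


if __name__ == "__main__":
    for proto in ("RADIUS (Cisco VPN 3000)", "RADIUS (Cisco IOS/PIX)", "RADIUS (Cisco Aironet)"):
        print(proto, decode_attributes(build_authorization(sample_group(), proto)))
```

Decoding the result back shows the point of the section: the Aironet value never travels as vendor 5842 on the wire; it is substituted into the standard attribute 27 that the access point already understands.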

The default attribute setting displayed for RADIUS is Ascend-Remote-Addr.

Note To hide or display Ascend RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular group persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the group configuration interface.

To configure and enable Ascend RADIUS attributes to be applied as an authorization for each user in the current group, follow these steps:

Step 3 From the Group list, select a group, and then click Edit Settings.

The Group Settings page displays the name of the group at its top.

Step 4 From the Jump To list at the top of the page, choose RADIUS (Ascend).

Step 5 In the Ascend RADIUS Attributes table, determine the attributes to be authorized for the group by selecting the check box next to the attribute. Be sure to define the authorization for that attribute in the field next to it. For more information about attributes, see "RADIUS Attributes", or your AAA client documentation.

To control Microsoft MPPE settings for users accessing the network through a Cisco VPN 3000-series concentrator, use the CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA 21) attributes. Settings for CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA 21) override Microsoft MPPE RADIUS settings. If either of these attributes is enabled, Cisco Secure ACS determines the values to be sent in outbound RADIUS (Microsoft) attributes and sends them along with the RADIUS (Cisco VPN 3000) attributes, regardless of whether RADIUS (Microsoft) attributes are enabled in the Cisco Secure ACS HTML interface or how those attributes might be configured.

The Cisco VPN 3000 Concentrator RADIUS attribute configurations appear only if both the following are true:

•A AAA client has been configured to use RADIUS (Cisco VPN 3000) in Network Configuration.

Note To hide or display Cisco VPN 3000 Concentrator RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular group persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the group configuration interface.

To configure and enable Cisco VPN 3000 Concentrator RADIUS attributes to be applied as an authorization for each user in the current group, follow these steps:

Step 3 From the Group list, select a group, and then click Edit Settings.

The Group Settings page displays the name of the group at its top.

Step 4 From the Jump To list at the top of the page, choose RADIUS (Cisco VPN 3000).

Step 5 In the Cisco VPN 3000 Concentrator RADIUS Attributes table, determine the attributes to be authorized for the group by selecting the check box next to the attribute. Further define the authorization for that attribute in the field next to it.

For more information about attributes, see "RADIUS Attributes", or the documentation for network devices using RADIUS.

Note To hide or display Cisco VPN 5000 Concentrator RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular group persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the group configuration interface.

To configure and enable Cisco VPN 5000 Concentrator RADIUS attributes to be applied as an authorization for each user in the current group, follow these steps:

Step 3 From the Group list, select a group, and then click Edit Settings.

The Group Settings page displays the name of the group at its top.

Step 4 From the Jump To list at the top of the page, choose RADIUS (Cisco VPN 5000).

Step 5 In the Cisco VPN 5000 Concentrator RADIUS Attributes table, select the attributes that should be authorized for the group by selecting the check box next to the attribute. Further define the authorization for each attribute in the field next to it.

For more information about attributes, see "RADIUS Attributes", or the documentation for network devices using RADIUS.

Step 7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.

Configuring Microsoft RADIUS Settings for a User Group

Microsoft RADIUS provides VSAs supporting MPPE, which is an encryption technology developed by Microsoft to encrypt PPP links. These PPP connections can be via a dial-in line, or over a VPN tunnel.

To control Microsoft MPPE settings for users accessing the network through a Cisco VPN 3000-series concentrator, use the CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA 21) attributes. Settings for CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA 21) override Microsoft MPPE RADIUS settings. If either of these attributes is enabled, Cisco Secure ACS determines the values to be sent in outbound RADIUS (Microsoft) attributes and sends them along with the RADIUS (Cisco VPN 3000) attributes, regardless of whether RADIUS (Microsoft) attributes are enabled in the Cisco Secure ACS HTML interface or how those attributes might be configured.

The Microsoft RADIUS attribute configurations appear only when both the following are true:

•A network device has been configured in Network Configuration that uses a RADIUS protocol that supports the Microsoft RADIUS VSA.

•Group-level Microsoft RADIUS attributes have been enabled on the RADIUS (Microsoft) page of the Interface Configuration section.

The following Cisco Secure ACS RADIUS protocols support the Microsoft RADIUS VSA:

•Cisco IOS/PIX

•Cisco VPN 3000

•Ascend

Microsoft RADIUS represents only the Microsoft VSA. You must configure both the IETF RADIUS and Microsoft RADIUS attributes.

Note To hide or display Microsoft RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular group persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the group configuration interface.

To configure and enable Microsoft RADIUS attributes to be applied as an authorization for each user in the current group, follow these steps:

Step 3 From the Group list, select a group, and then click Edit Settings.

The Group Settings page displays the name of the group at its top.

Step 4 From the Jump To list at the top of the page, choose RADIUS (Microsoft).

Step 5 In the Microsoft RADIUS Attributes table, specify the attributes to be authorized for the group by selecting the check box next to the attribute. Where applicable, further define the authorization for that attribute in the field next to it. For more information about attributes, see "RADIUS Attributes", or the documentation for network devices using RADIUS.

Note The MS-CHAP-MPPE-Keys attribute value is autogenerated by Cisco Secure ACS; there is no value to set in the HTML interface.

Step 7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.

Configuring Nortel RADIUS Settings for a User Group

The Nortel RADIUS attribute configurations appear only when both the following are true:

•A network device has been configured in Network Configuration that uses a RADIUS protocol that supports the Nortel RADIUS VSA.

•Group-level Nortel RADIUS attributes have been enabled on the RADIUS (Nortel) page of the Interface Configuration section.

Nortel RADIUS represents only the Nortel VSA. You must configure both the IETF RADIUS and Nortel RADIUS attributes.

Note To hide or display Nortel RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular group persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the group configuration interface.

To configure and enable Nortel RADIUS attributes to be applied as an authorization for each user in the current group, follow these steps:

Step 3 From the Group list, select a group, and then click Edit Settings.

The Group Settings page displays the name of the group at its top.

Step 4 From the Jump To list at the top of the page, choose RADIUS (Nortel).

Step 5 In the Nortel RADIUS Attributes table, specify the attributes to be authorized for the group by selecting the check box next to the attribute. Where applicable, further define the authorization for that attribute in the field next to it. For more information about attributes, see "RADIUS Attributes", or the documentation for network devices using RADIUS.

Note The MS-CHAP-MPPE-Keys attribute value is autogenerated by Cisco Secure ACS; there is no value to set in the HTML interface.

Step 7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.

Configuring Juniper RADIUS Settings for a User Group

Juniper RADIUS represents only the Juniper VSA. You must configure both the IETF RADIUS and Juniper RADIUS attributes.

Note To hide or display Juniper RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular group persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the group configuration interface.

To configure and enable Juniper RADIUS attributes to be applied as an authorization for each user in the current group, follow these steps:

Step 3 From the Group list, select a group, and then click Edit Settings.

The Group Settings page displays the name of the group at its top.

Step 4 From the Jump To list at the top of the page, choose RADIUS (Juniper).

Step 5 In the Juniper RADIUS Attributes table, specify the attributes to be authorized for the group by selecting the check box next to the attribute. Where applicable, further define the authorization for that attribute in the field next to it. For more information about attributes, see "RADIUS Attributes", or the documentation for network devices using RADIUS.

Note The MS-CHAP-MPPE-Keys attribute value is autogenerated by Cisco Secure ACS; there is no value to set in the HTML interface.

Step 7 To continue specifying other group settings, perform other procedures in this chapter, as applicable.

Configuring BBSM RADIUS Settings for a User Group

BBSM RADIUS represents only the BBSM RADIUS VSA. You must configure both the IETF RADIUS and BBSM RADIUS attributes.

Note To hide or display BBSM RADIUS attributes, see Setting Protocol Configuration Options for Non-IETF RADIUS Attributes. A VSA applied as an authorization to a particular group persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this (vendor) type configured, the VSA settings do not appear in the group configuration interface.

To configure and enable BBSM RADIUS attributes to be applied as an authorization for each user in the current group, follow these steps:

Step 3 From the Group list, select a group, and then click Edit Settings.

The Group Settings page displays the name of the group at its top.

Step 4 From the Jump To list at the top of the page, choose RADIUS (BBSM).

Step 5 In the BBSM RADIUS Attributes table, specify the attribute to be authorized for the group by selecting the check box next to the attribute. Where applicable, further define the authorization for that attribute in the field next to it. For more information about attributes, see "RADIUS Attributes", or the documentation for network devices using RADIUS.

Note The MS-CHAP-MPPE-Keys attribute value is autogenerated by Cisco Secure ACS; there is no value to set in the HTML interface.

Step 3 From the Group list, select a group, and then click Edit Settings.

The Group Settings page displays the name of the group at its top.

Step 4 From the Jump To list at the top of the page, choose RADIUS (custom name).

Step 5 In the RADIUS (custom name) Attributes table, specify the attributes to be authorized for the group by selecting the check box next to the attribute. Where applicable, further define the authorization for that attribute in the field next to it. For more information about attributes, see "RADIUS Attributes", or the documentation for network devices using RADIUS.

Note The MS-CHAP-MPPE-Keys attribute value is autogenerated by Cisco Secure ACS; there is no value to set in the HTML interface.

The User List page for the particular group selected opens in the display area.

Step 4 To open a user account (to view, modify, or delete a user), click the name of the user in the User List.

The User Setup page for the particular user account selected appears.

Resetting Usage Quota Counters for a User Group

You can reset the usage quota counters for all members of a group, either before or after a quota has been exceeded.

To reset usage quota counters for all members of a user group, follow these steps:

Step 1 In the navigation bar, click Group Setup.

The Group Setup Select page opens.

Step 2 From the Group list, select the group.

Step 3 In the Usage Quotas section, select the On submit reset all usage counters for all users of this group check box.

Step 4 Click Submit at the bottom of the browser page.

The usage quota counters for all users in the group are reset. The Group Setup Select page appears.

Renaming a User Group

To rename a user group, follow these steps:

Step 1 In the navigation bar, click Group Setup.

The Group Setup Select page opens.

Step 2 From the Group list, select the group.

Step 3 Click Rename Group.

The Renaming Group: Group Name page appears.

Step 4 Type the new name in the Group field. Group names cannot contain angle brackets (< or >).

Step 5 Click Submit.

Note The group remains in the same position in the list. The number value of the group is still associated with this group name. Some utilities, such as the database import utility, use the numeric value associated with the group.

The Select page opens with the new group name selected.

Saving Changes to User Group Settings

After you have completed configuration for a group, be sure to save your work.

To save the configuration for the current group, follow these steps:

Step 1 To save your changes and apply them later, click Submit. When you are ready to implement the changes, click System Configuration, and then click Service Control, and click Restart.